PT-2019-13877 · 3Cx · 3Cx Phone
Conan.Chiles · Published 2019-08-11 · Updated 2020-08-24
CVE-2019-14935
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
3CX Phone version 15
Description
The installation directory "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" has insecure permissions: it grants Full Control access to Everyone. This leads to privilege escalation because of a StartUp link.
Recommendations
For version 15, consider restricting access to the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" directory so that Everyone no longer has Full Control, and review StartUp links for potential removal or modification to mitigate the risk of privilege escalation.
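A read-only audit for the two conditions named above, added here as an example and not taken from the advisory or from 3CX. The function names, the set of broad groups checked, and the choice of Startup folders are assumptions.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumption: the advisory's directory, with path separators restored.
$target = Join-Path $env:ProgramData '3CXPhone for Windows\PhoneApp'

# Well-known SIDs of broad groups: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a member add, replace or delete files, or rewrite the ACL.
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) ACEs.
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Ask for SIDs directly so localized or unresolvable account names do not matter.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        }
}

function Get-StartupLinkInto {
    param([Parameter(Mandatory)][string]$Directory)
    # Assumption: the "StartUp link" is a .lnk in the all-users or current-user Startup folder.
    $folders = 'CommonStartup', 'Startup' |
        ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $folders -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Link   = $_.FullName
                Target = [string]$shell.CreateShortcut($_.FullName).TargetPath
            }
        } |
        Where-Object { $_.Target.StartsWith($Directory, [StringComparison]::OrdinalIgnoreCase) }
}

if (Test-Path -LiteralPath $target) {
    Get-BroadWriteAce -Path $target | Format-Table IdentityReference, FileSystemRights, IsInherited
    Get-StartupLinkInto -Directory $target | Format-Table -AutoSize
} else {
    Write-Output "Not present on this host: $target"
}
```

A row in the first table means a broad group can write to the directory; a row in the second means a shortcut in a Startup folder launches a file from it at logon.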
Exploit
Fix
Incorrect Permission
Weakness Enumeration
Related Identifiers
Affected Products
3Cx Phone